Redactable Signature Schemes: the path towards a fully compliant Cryptographic signature

  • Home
  • Redactable Signature Schemes: the path towards a fully compliant Cryptographic signature
14 May

Redactable Signature Schemes: the path towards a fully compliant Cryptographic signature

Your main field(s) of activity

Standardising so called redactable signature schemes: a special but well researched type of cryptographic signature schemes that fulfills Integrity and Authenticity guarantees following EU eIDAS signature regulation and at the same time allow to remove signed data such that it complies with data protection regulation EU GDPR. Active as editor for ISO 23264-1 (IT Security Techniques -- Redaction of Authentic Data -- Part:1 General) and ISO 23264-2 (IT Security Techniques -- Redaction of Authentic Data -- Part:2 Redactable signature schemes based on asymmetric mechanisms). Active within the German national body as member of the ISO SC27 delegation and expert.

What ICT Challenges are you addressing in the ICT standardisation area?

One example why this field of cryptography would need standardisation to be used in ICT is that while the cryptographic mechanisms that I standardise are over 5-20 years old, the field of research was not using a harmonised language to start with. So in order to foster the understanding that is needed to implement them technically they need to be standardised to become understood and interoperable. This is further needed because for digital signatures to be useful in practice they need legal acceptance as so-called advanced electronic signatures (e.g. eIDAS). So having them in an ISO standard this will allow them to become added to lists of legally accepted algorithms. So standardisation will help to put these modern and useful security and privacy-preserving mechanisms in place in the near future.

How, if implemented will this make a difference in a specific context?

Having new algorithms that interfere with the current understanding and technical flow of existing digital/electronic signatures will have a hard time to be used in practice if not standardised. The reason is that only with an agreed international understanding (e.g. an intl. standard) comes the possibility of legal acceptance. Once standardised the next step is to add them to lists of legally accepted algorithms. The main selling point is that those digital signatures achieve eIDAS conformity but additionally allow GDPR compliant deletion of signed data.

Are there any best practices that you are aware of that put into practice these challenges described ?

The European research projects RERUM and PRISMACLOUD have already produced prototypes for using these advanced digital signatures for increased security in Cloud and IoT.

What future actions or further specifications work would be necessary to undertake within an ICT Standards context?

The standardisation process within ISO 27 WG2 (Cryptograpjic Mechanisms) takes years. It will take 2 more years and at least 4 more meetings to finish the standardisation. We have reached the last Working Draft (WD) level with the standard on algorithms and with the more general standard on processes and terminology we already have committee drafts (CD) which can only be changed and voted on by National Bodies (so not so open anymore). The progress is good, but the process within ISO SC27 WG2 needs a certain time.